ASA-201907-3 log generated external raw

[ASA-201907-3] python2-django: silent downgrade
Arch Linux Security Advisory ASA-201907-3 ========================================= Severity: High Date : 2019-07-06 CVE-ID : CVE-2019-12781 Package : python2-django Type : silent downgrade Remote : Yes Link : Summary ======= The package python2-django before version 1.11.22-1 is vulnerable to silent downgrade. Resolution ========== Upgrade to 1.11.22-1. # pacman -Syu "python2-django>=1.11.22-1" The problem has been fixed upstream in version 1.11.22. Workaround ========== None. Description =========== An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. Impact ====== A remote attacker is able to perform a man-in-the-middle attack if a HTTP request is not redirected to HTTPS. References ==========